The Coast Guard published Marine Safety Information Bulletin 10-19, "Cyberattack Impacts MTSA Facility Operations," in December to inform the maritime community of a recent incident involving a ransomware intrusion at a facility regulated by the Maritime Transportation Security Act (MTSA).
Forensic analysis is still ongoing, but the malware, identified as "Ryuk" ransomware, may have entered the MTSA facility's network through an email phishing campaign. Once an employee clicked on the malicious link embedded in the email, the ransomware allowed a threat actor to reach important files on the enterprise information technology (IT) network and encrypt them, preventing the facility from accessing critical files. The malware also burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. Impacts on the facility included a disruption of the entire corporate IT network (beyond the facility footprint), the disruption of physical access control and camera systems, and the loss of critical process monitoring systems. These combined effects required the company to shut down the facility's primary operations for more than 30 hours while it responded to the cyber incident.
More information about Ryuk ransomware is available on the US-CERT website.
At a minimum, the following measures may have prevented or limited the breach and reduced recovery time:
- Intrusion detection and intrusion prevention systems to monitor network traffic in real time
- Industry standard and updated virus detection software
- Centralized and monitored host and server logging
- Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
- Updated IT / OT network diagrams
- Consistent backups of all critical files and software
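Two of the listed measures, centralized host logging and IT/OT network segmentation, are straightforward to verify continuously once the logs exist. The following Python script is an added example, not part of the Coast Guard bulletin or any facility's tooling: it audits constructed network-flow records against a hypothetical segmentation policy (any IT-to-OT connection not on an explicit allowlist is a violation to investigate) and scans constructed host file-activity events for the burst of writes across many files that ransomware produces when it encrypts a share. The subnets, hostnames, process names, and allowlist entries are all made up for the example.

```python
"""Added example: segmentation audit and mass-file-modification detection
over constructed sample records. Not from the Coast Guard bulletin.

Assumed (hypothetical) record formats:
  flow  = {"src": ip, "dst": ip, "dport": int, "action": str}
  event = {"ts": ISO-8601 str, "host": str, "process": str, "path": str, "action": str}
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy: corporate IT range, OT range, and the only IT-to-OT
# paths that are permitted (here, one historian host polling Modbus/TCP).
IT_NETS = [ip_network("10.10.0.0/16")]
OT_NETS = [ip_network("192.168.50.0/24")]
ALLOWED_IT_TO_OT = {("10.10.5.20", 502)}  # (source host, destination port)


def _in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def find_segmentation_violations(flows):
    """Return flows that crossed from IT into OT without being on the allowlist.
    On a correctly segmented network this list is empty; any entry is either
    a firewall misconfiguration or lateral movement and must be investigated."""
    violations = []
    for f in flows:
        if _in_any(f["src"], IT_NETS) and _in_any(f["dst"], OT_NETS):
            if (f["src"], f["dport"]) not in ALLOWED_IT_TO_OT:
                violations.append(f)
    return violations


def detect_mass_file_modification(events, threshold=50, window_seconds=60):
    """Flag each (host, process) that writes or renames at least `threshold`
    distinct files within any `window_seconds` span. Normal users touch a few
    files a minute; an encryptor touches hundreds. Returns one alert per
    offending pair, recording the file count at the moment the threshold
    was first crossed."""
    per_proc = defaultdict(list)
    for e in events:
        if e["action"] in ("write", "rename"):
            per_proc[(e["host"], e["process"])].append(
                (datetime.fromisoformat(e["ts"]), e["path"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, proc), items in per_proc.items():
        items.sort()  # chronological order for the sliding window
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            distinct = {path for _, path in items[lo:hi + 1]}
            if len(distinct) >= threshold:
                alerts.append({"host": host, "process": proc, "files": len(distinct)})
                break
    return alerts


# Constructed sample input: one permitted historian pull, one IT workstation
# reaching an OT host over SMB (the violation), and one IT-to-IT flow.
SAMPLE_FLOWS = [
    {"src": "10.10.5.20", "dst": "192.168.50.10", "dport": 502, "action": "allow"},
    {"src": "10.10.7.44", "dst": "192.168.50.10", "dport": 445, "action": "allow"},
    {"src": "10.10.7.44", "dst": "10.10.9.1", "dport": 445, "action": "allow"},
]


def _sample_events():
    """Constructed host events: an unknown service rewriting 60 files in
    60 seconds on a file server, and a user editing 5 documents slowly."""
    base = datetime(2019, 12, 1, 3, 0, 0)
    evs = []
    for i in range(60):
        evs.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                    "host": "fileserver01", "process": "svc_update.exe",
                    "path": f"\\\\share\\docs\\file{i}.docx", "action": "write"})
    for i in range(5):
        evs.append({"ts": (base + timedelta(seconds=i * 10)).isoformat(),
                    "host": "ws-12", "process": "winword.exe",
                    "path": f"C:\\Users\\a\\doc{i}.docx", "action": "write"})
    return evs


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for v in find_segmentation_violations(SAMPLE_FLOWS):
        print("SEGMENTATION VIOLATION:", v)
    for a in detect_mass_file_modification(SAMPLE_EVENTS):
        print("MASS FILE MODIFICATION:", a)
```

Both checks only work if the flow and file-activity logs are actually centralized; the bulletin's point about "centralized and monitored host and server logging" is what makes the second function possible at all, and an up-to-date IT/OT network diagram is what lets you write the address ranges and allowlist in the first.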
The Coast Guard recommends that facilities use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program.
The Coast Guard urges maritime stakeholders to verify the validity of the email sender before responding to or opening any unsolicited email message. In addition, facility owners and operators should continue to evaluate their cybersecurity defenses to reduce the effect of a cyberattack. This release has been issued for public information and notification purposes only.
For more information on best practices related to ransomware and other resources, visit the Cybersecurity and Infrastructure Security Agency (CISA) ransomware resource page.
As a reminder, suspicious activity and breaches of security, including breaches of telecommunications equipment, computer, system, and network security measures that support the functions described in the facility security plan, or that could contribute to a Transportation Security Incident (TSI), must be reported to the National Response Center (NRC) at (800) 424-8802. For additional guidance on defining and reporting cyber incidents, see CG-5P Policy Letter 08-16, "Reporting Suspicious Activity and Breaches of Security."
The Coast Guard encourages companies and their facilities to remain vigilant in identifying and promptly reporting cyber-related suspicious activity. Questions related to this bulletin can be directed to the Domestic Ports Division of the Office of Port and Facility Compliance at (202) 372-1109.